IIS - This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms
Have you ever got the "
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." exception while trying to use some of the classes in the "
System.Security.Cryptography" namespace?
The exception normally thrown is a "
TargetInvocationException" exception and the message that accompanies it is usually the unhelpful "
Exception has been thrown by the target of an invocation". It is only when you drill down into the InnerException that you see the "
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
message. The reason that this exception is thrown is that you have
tried to use a cryptographic algorithm that is not FIPS compliant.
What is FIPS compliance? FIPS stands for
Federal
Information
Processing
Standards. (
link to more information) and are US Government standards that provide a benchmark for implementing cryptographic software.
WindowsXP
and later operating systems have both FIPS compliant and non-compliant
algorithms that can be used by developers. FIPS compliant algorithms are
those that have been validated by the FIPS 140 program. One can call
both the compliant and non-compliant algorithms as the check for FIPS
compliance is by default turned off.
How do you turn on and off FIPS compliance checking:
Two methods:
1. Go to Control Panel -> Administrative Tools -> Local Security Policy
Enable the setting for "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
2. Another method is to directly edit the registry by setting the following value to 0 (disable) or 1 (enable)
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
Alternatively you can copy the following lines into a registry script file (.reg) and run it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"fipsalgorithmpolicy"=dword:00000001
Note:
One thing that I am not certain off is that this option might be
available only on Windows XP Professional OSs and not in the basic
Windows XP OS. I havent been able to confirm this via documentation -
but the option is not available on my home machine (Windows XP), but is
available on my work machine (Windows XP Pro).
For Developers:
So what does this mean for
developers? If you ever envision your software running on a government
computer (especially in the US), you should turn on FIPS compliance
checking. This way, your application that uses cryptography algorithms
provided by the OS will work on all machines and you wont have to deal
with the "
Exception has been thrown by the target of an invocation".
For .NET Developers:
FIPS
compliance checking (if turned on in the local security policy) I think
was introduced starting in version 2.0 of .NET. Unfortunately, the MSDN
documentation on FIPS compliance is pretty skimpy and there is no list
of the algorithms in the "System.Security.Cryptography" namespace that
are FIPS compliant. (Also there is no property that can be checked or an
interface or base class that FIPS compliant algorithms implement -
which would allow for runtime checking - hint, hint MS).
So here is a quick list that I obtained by using reflection (C# code is below)
FIPS compliant Algorithms:
Hash algorithms
HMACSHA1
MACTripleDES
SHA1CryptoServiceProvider
Symmetric algorithms (use the same key for encryption and decryption)
DESCryptoServiceProvider
TripleDESCryptoServiceProvider
Asymmetric algorithms (use a public key for encryption and a private key for decryption)
DSACryptoServiceProvider
RSACryptoServiceProvider
Algorithms that are not FIPS compliant
HMACMD5
HMACRIPEMD160
HMACSHA256
HMACSHA384
HMACSHA512
MD5CryptoServiceProvider
RC2CryptoServiceProvider
RijndaelManaged
RIPEMD160Managed
SHA1Managed